ICACLS Syntax issues with backup / restore

Question

I am doing some testing with Windows Server 2008 R2 with NTFS permissions. I have a d: drive (multiple folders and sub-folders) with existing NTFS permissions. I want to make a backup of the settings using icacls so I can restore when needed.

So, here is what I am doing and the issue:

1. Open an elevated cmd prompt.

2. Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes. No issues.

3. Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

Thank you for the response and the workaround. I don't mind using another tool, however, icacls.exe is a native tool and it should work as advertised. I will test the freeware you suggested to get around the issue I am having with icacls.exe but would really like to know the answer to my question.

I've been trying to find an answer to this conundrum for some time now, albeit for the SystemDrive, the security-state of which I'd like to capture. Even specifying just root on a Windows 2003 (x64) Ent Server, along the lines of what djyeater suggested, only up to the first (alphabetically) sorted directory is reported -- "Documents and Settings" as well as root's files (excepting in-use files) -- on the system drive. Here's the command executed by a local admin in a command prompt window focused on root (C:\):

Like Colorjet3, I tend to rely on native capabilities where practicable, and am therefore really interested in learning why the utility can not be trusted to perform as advertised. BTW, the version of icacls.exe I'm explicitly using is 5.2.3790.3959 and 49.5 KB in size. Note also that the x32 version (in SysWOW64) has the same version number, but is only 39 KB in size, and reports the exact same results.

What's up with icacls.exe? Is this an undocumented feature, or am I doing something wrong?

I may be a little late to the party here but I think I've found out what your problem is:

1. Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes. No issues.

2. Run "icacls d:\ /restore ntfsDdrive.txt"

Like you believe, your second step is where the failure occurs. The icacls script does NOT run from the directory you wish to restore. I've been trying to figure out all morning why the file path specified is invalid, as I had mine replicated "C:\test directory\test directory". I later edited the ACL file by removing the folder name on the first line, which evidently gave me "C:\test directory\ is not a valid filepath".

I then progressed further by creating a destination C:\Test Directory\Test and saving the ACL file with the /T switch active. After altering the permissions, I ran a restore for C:\Test Directory\Test from the C:\Test Directory folder. This completed successfully and permissions were replaced as they were before, without affecting the parent "Test Directory".

1. run "icacls C:\test directory\test /save TestACL.txt"

2. run "icacls C:\test directory /restore TestACL.txt"

I'm not sure how you'd be able to run a permission replacement of the entire D:\ as it cannot go any higher up. I recommend taking ACL files of all sub-directories of D:\ and running them all from D:\ when the time comes. I hope this helps you guys out, it only took me two and a half hours to figure out -.-

I know it's really late, but for those who need to fix that, it could be useful.

To save and restore an entire drive, do it like this:

icacls.exe d:\* /save ntfspermission.txt /t /c

icacls.exe d:\ /restore ntfspermission.txt /t /c

It did the trick for me.

Hope this helps someone.

The "icacls.exe d:\* /save ntfspermission.txt /t /c" command will not save the NTFS permissions from the D: root itself though. I'm having the same problem trying to find a way to save the security settings from the root file down, and then being able to restore from that. The save works, but the restore does not (as mentioned above).

This could be a long shot, but if you're trying to restore an entire drive, have you tried setting up a manually mapped drive with a shortcut in it to the drive you want to restore?
I haven't tried this (as I've had no intention of restoring an entire drive), and I'd have little faith that such a thing would work.

Another alternative could be to open the ACL File as a text file and remove the specified directory from the file. Now, I'm no expert on ICACLS or ACL Files and my initial thoughts on this would be the file would become corrupt... however, if you want to try it on a blank drive with just test folders and test documents to see what actually happens, it's another way of potentially finding out how to restore an entire drive.

The only way I know you can restore an entire drive (excluding files within the root of the drive) is to create an ACL File for all sub-folders of the root.

Long reply on this, so apologies. After much work on this, it turns out that the format of the save command simply doesn't allow a restore on a root folder level. It's a limitation of the command. I have found workarounds for it, such as mapping drives, but it is less than perfect. Oh well. Thanks for the help everybody. (I didn't mark an answer, as there really wasn't a solution).

I know that this is a really old thread, but I'm hoping that the solution will help others that may still be having this problem.

The issue that the original poster had is because icacls puts a blank line at the beginning of the file if you run the backup from the root of a drive. That changes the line positioning so that the restore interprets the permissions line as the filename line for each subsequent pair.

Filename
ACL
Filename
ACL

Just use a text editor to remove that blank line and the restore will work just fine.
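
A read-only check of the Filename/ACL pairing described in the last reply, added here as an example and not taken from any post in the thread. It assumes ACL lines are SDDL strings beginning with "D:" or "S:" and that the save file is UTF-16 LE text; the function name and the sample lines are constructed for illustration. It reports misaligned lines and changes nothing on disk.

```powershell
# Added example (not from the thread): verify that an icacls /save file
# alternates Filename, ACL, Filename, ACL before attempting a /restore.
function Test-IcaclsSaveFile {
    param([string[]]$Lines)

    # Heuristic (assumption): a saved ACL line is SDDL such as
    # D:AI(A;OICIID;FA;;;BA), so it starts with "D:" or "S:" then flags and "(".
    $aclPattern = '^[DS]:[A-Z]*\('

    $result = New-Object psobject -Property @{
        LeadingBlank = ($Lines.Count -gt 0 -and $Lines[0].Trim() -eq '')
        Misplaced    = @()
    }

    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $expectAcl = (($i % 2) -eq 1)              # lines 2, 4, 6... should be ACLs
        $looksAcl  = [bool]($Lines[$i] -match $aclPattern)
        if ($expectAcl -ne $looksAcl) {
            $result.Misplaced += ($i + 1)          # record the 1-based line number
        }
    }
    $result
}

# Constructed sample: an extra blank first line shifts every pair by one.
$sample = @(
    '',
    'Data',
    'D:AI(A;OICIID;FA;;;BA)',
    'Data\Reports',
    'D:AI(A;OICIID;FA;;;BA)'
)

$before = Test-IcaclsSaveFile $sample
$after  = Test-IcaclsSaveFile ($sample | Select-Object -Skip 1)

"With blank line:    leading blank = {0}, misplaced lines = {1}" -f `
    $before.LeadingBlank, ($before.Misplaced -join ', ')
"Without blank line: leading blank = {0}, misplaced lines = {1}" -f `
    $after.LeadingBlank, ($after.Misplaced -join ', ')

# For a real save file (name taken from the question):
#   Test-IcaclsSaveFile (Get-Content .\ntfsDdrive.txt -Encoding Unicode)
```

If a file has a leading blank line but no misplaced lines, the pairs are already aligned and removing the blank line would shift them, so run the check on a copy before and after any hand edit.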